X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=mediagoblin%2Fdecorators.py;h=9cac1cfaa9fd1c1529e709cfde5cad389029f9fc;hb=707001950a42c7adfd6657f227a2c2dbbd09afce;hp=081eda623f08c0d386d903bfbc9e4234aed4dba4;hpb=7f8a70ef25a36561042b34afba899ecf37aacfdc;p=mediagoblin.git diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py index 081eda62..9cac1cfa 100644 --- a/mediagoblin/decorators.py +++ b/mediagoblin/decorators.py @@ -1,5 +1,5 @@ # GNU MediaGoblin -- federated, autonomous media hosting -# Copyright (C) 2011 Free Software Foundation, Inc +# Copyright (C) 2011 MediaGoblin contributors. See AUTHORS. # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by @@ -17,7 +17,7 @@ from webob import exc -from mediagoblin.util import redirect +from mediagoblin.tools.response import redirect, render_404 from mediagoblin.db.util import ObjectId, InvalidId @@ -38,19 +38,36 @@ def require_active_login(controller): def new_controller_func(request, *args, **kwargs): if request.user and \ request.user.get('status') == u'needs_email_verification': - return redirect(request, - 'mediagoblin.auth.verify_email_notice') + return redirect( + request, 'mediagoblin.user_pages.user_home', + user=request.user['username']) elif not request.user or request.user.get('status') != u'active': return exc.HTTPFound( location="%s?next=%s" % ( request.urlgen("mediagoblin.auth.login"), - request.path_info)) + request.full_path)) return controller(request, *args, **kwargs) return _make_safe(new_controller_func, controller) +def user_may_delete_media(controller): + """ + Require user ownership of the MediaEntry to delete. + """ + def wrapper(request, *args, **kwargs): + uploader = request.db.MediaEntry.find_one( + {'slug': request.matchdict['media'] }).uploader() + if not (request.user['is_admin'] or + request.user._id == uploader._id): + return exc.HTTPForbidden() + + return controller(request, *args, **kwargs) + + return _make_safe(wrapper, controller) + + def uses_pagination(controller): """ Check request GET 'page' key for wrong values @@ -59,9 +76,9 @@ def uses_pagination(controller): try: page = int(request.GET.get('page', 1)) if page < 0: - return exc.HTTPNotFound() + return render_404(request) except ValueError: - return exc.HTTPNotFound() + return render_404(request) return controller(request, page=page, *args, **kwargs) @@ -77,12 +94,11 @@ def get_user_media_entry(controller): {'username': request.matchdict['user']}) if not user: - return exc.HTTPNotFound() - + return render_404(request) media = request.db.MediaEntry.find_one( {'slug': request.matchdict['media'], 'state': 'processed', - 'uploader': user['_id']}) + 'uploader': user._id}) # no media via slug? Grab it via ObjectId if not media: @@ -90,18 +106,19 @@ def get_user_media_entry(controller): media = request.db.MediaEntry.find_one( {'_id': ObjectId(request.matchdict['media']), 'state': 'processed', - 'uploader': user['_id']}) + 'uploader': user._id}) except InvalidId: - return exc.HTTPNotFound() + return render_404(request) # Still no media? Okay, 404. if not media: - return exc.HTTPNotFound() + return render_404(request) return controller(request, media=media, *args, **kwargs) return _make_safe(wrapper, controller) + def get_media_entry_by_id(controller): """ Pass in a MediaEntry based off of a url component @@ -112,11 +129,11 @@ def get_media_entry_by_id(controller): {'_id': ObjectId(request.matchdict['media']), 'state': 'processed'}) except InvalidId: - return exc.HTTPNotFound() + return render_404(request) # Still no media? Okay, 404. if not media: - return exc.HTTPNotFound() + return render_404(request) return controller(request, media=media, *args, **kwargs)